Server-Side Phishing: How Credential Theft Campaigns Are Hiding in Plain Sight

ID: 0f745872-fde8-5e2e-a3a6-0eb5623b61cc

STIX ID: report--0f745872-fde8-5e2e-a3a6-0eb5623b61cc

Feed Name: Hunt.io Blog

Threat Score: 65/100

Date Published: 2026-02-16

Date Updated: 2026-04-28

...
...

This report analyzes an active credential-phishing campaign that hosts cloned employee and member login portals built on a PHP phishing kit (xxx.php). A server-side validation script (check.php) collects and exfiltrates usernames, passwords, and OTPs. The operators host multiple spoofed domains across the IPs 80.64.30.100 and 80.64.30.101 (Chang Way Technologies ASN) and behind Cloudflare, and they evade detection through server-side checks, simulated 2FA, and decoy pages. The report provides IOCs and hunting recommendations, such as monitoring for POST requests to xxx.php and check.php and for requests containing type=3.